rfc2284.txt

改文件中包含了三个协议

      4 for Failure.

   Identifier

      The Identifier field is one octet and aids in matching replies to
      Responses.  The Identifier field MUST match the Indentifier field
      of the Response packet that it is sent in response to.

   Length

      4

3.  Initial EAP Request/Response Types

   This section defines the initial set of EAP Types used in
   Request/Response exchanges.  More Types may be defined in follow-on
   documents.  The Type field is one octet and identifies the structure
   of an EAP Request or Response packet.  The first 3 Types are
   considered special case Types.  The remaining Types define
   authentication exchanges.  The Nak Type is valid only for Response
   packets, it MUST NOT be sent in a Request.  The Nak Type MUST only be






Blunk & Vollbrecht          Standards Track                     [Page 8]

RFC 2284                          EAP                         March 1998


   sent in repsonse to a Request which uses an authentication Type code.
   All EAP implementatins MUST support Types 1-4.  These Types, as well
   as types 5 and 6, are defined in this document.  Follow-on RFCs will
   define additional EAP Types.

      1       Identity
      2       Notification
      3       Nak (Response only)
      4       MD5-Challenge
      5       One-Time Password (OTP) (RFC 1938)
      6       Generic Token Card

3.1.  Identity

   Description

      The Identity Type is used to query the identity of the peer.
      Generally, the authenticator will issue this as the initial
      Request.  An optional displayable message MAY be included to
      prompt the peer in the case where there expectation of interaction
      with a user.  A Response MUST be sent to this Request with a Type
      of 1 (Identity).

         Implementation Note:  The peer MAY obtain the Identity via user
         input.  It is suggested that the authenticator retry the
         Indentity Request in the case of an invalid Identity or
         authentication failure to allow for potential typos on the part
         of the user.  It is suggested that the Identity Request be
         retried a minimum of 3 times before terminating the
         authentication phase with a Failure reply.  The Notification
         Request MAY be used to indicate an invalid authentication
         attempt prior to transmitting a new Identity Request
         (optionally, the failure MAY be indicated within the message of
         the new Identity Request itself).

   Type

      1

   Type-Data

      This field MAY contain a displayable message in the Request.  The
      Response uses this field to return the Identity.  If the Identity
      is unknown, this field should be zero bytes in length.  The field
      MUST NOT be null terminated.  The length of this field is derived
      from the Length field of the Request/Response packet and hence a
      null is not required.




Blunk & Vollbrecht          Standards Track                     [Page 9]

RFC 2284                          EAP                         March 1998


3.2.  Notification

   Description

      The Notification Type is optionally used to convey a displayable
      message from the authenticator to the peer.   The peer SHOULD
      display this message to the user or log it if it cannot be
      displayed.  It is intended to provide an acknowledged notification
      of some imperative nature.  Examples include a password with an
      expiration time that is about to expire, an OTP sequence integer
      which is nearing 0, an authentication failure warning, etc.   In
      most circumstances, notification should not be required.

   Type

      2

   Type-Data

      The Type-Data field in the Request contains a displayable message
      greater than zero octets in length.  The length of the message is
      determined by Length field of the Request packet.  The message
      MUST not be null terminated.  A Response MUST be sent in reply to
      the Request with a Type field of 2 (Notification).  The Type-Data
      field of the Response is zero octets in length.   The Response
      should be sent immediately (independent of how the message is
      displayed or logged).

3.3.  Nak

   Description

      The Nak Type is valid only in Response messages.  It is sent in
      reply to a Request where the desired authentication Type is
      unacceptable.   Authentication Types are numbered 4 and above.
      The Response contains the authentication Type desired by the peer.

   Type

      3

   Type-Data

      This field MUST contain a single octet indicating the desired
      authentication type.






Blunk & Vollbrecht          Standards Track                    [Page 10]

RFC 2284                          EAP                         March 1998


3.4.  MD5-Challenge

   Description

      The MD5-Challenge Type is analagous to the PPP CHAP protocol [3]
      (with MD5 as the specified algorithm).  The PPP Challenge
      Handshake Authentication Protocol RFC [3] should be referred to
      for further implementation specifics.  The Request contains a
      "challenge" message to the peer.  A Repsonse MUST be sent in reply
      to the Request.  The Response MAY be either of Type 4 (MD5-
      Challenge) or Type 3 (Nak).   The Nak reply indicates the peer's
      desired authentication mechanism Type.  All EAP implementations
      MUST support the MD5-Challenge mechanism.

   Type

      4

   Type-Data

      The contents of the Type-Data  field is summarized below.  For
      reference on the use of this fields see the PPP Challenge
      Handshake Authentication Protocol [3].

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Value-Size   |  Value ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Name ...
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.5.  One-Time Password (OTP)

   Description

      The One-Time Password system is defined in "A One-Time Password
      System" [4].  The Request contains a displayable message
      containing an OTP challenge.  A Repsonse MUST be sent in reply to
      the Request.  The Response MUST be of Type 5 (OTP) or Type 3
      (Nak).  The Nak reply indicates the peer's desired authentication
      mechanism Type.

   Type

      5





Blunk & Vollbrecht          Standards Track                    [Page 11]

RFC 2284                          EAP                         March 1998


   Type-Data

      The Type-Data field contains the OTP "challenge" as a displayable
      message in the Request.  In the Response, this field is used for
      the 6 words from the OTP dictionary [4].  The messages MUST not be
      null terminated.  The length of the field is derived from the
      Length field of the Request/Reply packet.

3.6.  Generic Token Card

   Description

      The Generic Token Card Type is defined for use with various Token
      Card implementations which require user input.   The Request
      contains an ASCII text message and the Reply contains the Token
      Card information necessary for authentication.  Typically, this
      would be information read by a user from the Token card device and
      entered as ASCII text.

   Type

      6

   Type-Data

      The Type-Data field in the Request contains a displayable message
      greater than zero octets in length.  The length of the message is
      determined by Length field of the Request packet.  The message
      MUST not be null terminated.  A Response MUST be sent in reply to
      the Request with a Type field of 6 (Generic Token Card).  The
      Response contains data from the Token Card required for
      authentication.  The length is of the data is determined by the
      Length field of the Response packet.

Security Considerations

   Security issues are the primary topic of this RFC.

   The interaction of the authentication protocols within PPP are highly
   implementation dependent.

   For example, upon failure of authentication, some implementations do
   not terminate the link.  Instead, the implementation limits the kind
   of traffic in the Network-Layer Protocols to a filtered subset, which
   in turn allows the user opportunity to update secrets or send mail to
   the network administrator indicating a problem.





Blunk & Vollbrecht          Standards Track                    [Page 12]

RFC 2284                          EAP                         March 1998


   There is no provision for retries of failed authentication.  However,
   the LCP state machine can renegotiate the authentication protocol at
   any time, thus allowing a new attempt.  It is recommended that any
   counters used for authentication failure not be reset until after
   successful authentication, or subsequent termination of the failed
   link.

   There is no requirement that authentication be full duplex or that
   the same protocol be used in both directions.  It is perfectly
   acceptable for different protocols to be used in each direction.
   This will, of course, depend on the specific protocols negotiated.

   In practice, within or associated with each PPP server, it is not
   anticipated that a particular named user would be authenticated by
   multiple methods.  This would make the user vulnerable to attacks
   which negotiate the least secure method from among a set (such as PAP
   rather than EAP).  Instead, for each named user there should be an
   indication of exactly one method used to authenticate that user name.
   If a user needs to make use of different authentication methods under
   different circumstances, then distinct identities SHOULD be employed,
   each of which identifies exactly one authentication method.

References

   [1]   Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
         RFC 1661, July 1994.

   [2]   Reynolds, J. and J. Postel, "Assigned Numbers", STD 2,
         RFC 1700, October 1994.

   [3]   Simpson, W., "PPP Challenge Handshake Authentication Protocol
         (CHAP)", RFC 1994, August 1996.

   [4]   Haller, N. and C. Metz, "A One-Time Password System", RFC 1938,
         May 1996.

   [5]   Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
         10646", RFC 2044, October 1996.

   [6]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", RFC 2119, March 1997.










Blunk & Vollbrecht          Standards Track                    [Page 13]

RFC 2284                          EAP                         March 1998


Acknowledgments

   This protocol derives much of its inspiration from Dave Carrel's AHA
   draft as well as the PPP CHAP protocol [3].  Bill Simpson provided
   much of the boilerplate used throughout this document.   Al Rubens
   (Merit) also provided valuable feedback.

Chair's Address

   The working group can be contacted via the current chair:

   Karl F. Fox
   Ascend Communications, Inc.
   655 Metro Place South, Suite 370
   Dublin, Ohio  43017

   EMail: karl@ascend.com
   Phone: +1 614 760 4041
   Fax:   +1 614 760 4050

Authors' Addresses

   Larry J. Blunk
   Merit Network, Inc.
   4251 Plymouth Rd., Suite C
   Ann Arbor, MI  48105

   EMail: ljb@merit.edu
   Phone: 734-763-6056
   FAX:   734-647-3185


   John R. Vollbrecht
   Merit Network, Inc.
   4251 Plymouth Rd., Suite C
   Ann Arbor, MI  48105

   EMail: jrv@merit.edu
   Phone: +1-313-763-1206
   FAX: +1-734-647-3185











Blunk & Vollbrecht          Standards Track                    [Page 14]

RFC 2284                          EAP                         March 1998


Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
























Blunk & Vollbrecht          Standards Track                    [Page 15]